<?php
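	// Resume the session first: the handler further down resets two $_SESSION flags.
	session_start();
	// require instead of include: this page cannot work without the shared file
	// (presumably the source of $SITE_TITLE, $SITE_URL, the DB_* constants and
	// get_user_id(), none of which are defined here), so stop immediately if it is
	// missing rather than continuing with undefined configuration.
	require "include.php";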
?>
<html>
<head>
<title><?php echo $SITE_TITLE ?> - Change Password</title>
<link rel="stylesheet" type="text/css" href="main.css" /></head>
<div id="container">
<div id="top">
<h1><?php echo $SITE_TITLE ?></h1>
</div>
<div id="leftnav">
</div>
<div id="content">
<?php
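	// Change-password handler: verifies the current password, then stores a new salted hash.
	//
	// Security notes for maintainers:
	//  - Hashes are single-round MD5(salt . password), which is far too fast for password
	//    storage. The scheme is kept only because the code that verifies these hashes at
	//    login lives outside this file; migrate both sides together to
	//    password_hash()/password_verify().
	//  - The salt comes from uniqid()/rand(), not a CSPRNG. It is not a secret, but a
	//    proper random source is preferable when the hashing scheme is replaced.
	//  - No anti-CSRF token is verified in this file.
	//    NOTE(review): confirm whether include.php or the form page enforces one.
	//  - get_user_id() is defined outside this file.
	//    NOTE(review): confirm it derives the id from the session, never from request data.
	//  - The mysql_* extension was removed in PHP 7; move to PDO or mysqli with prepared
	//    statements when this code is ported.
	$try_again = "<br><a href=\"" . $SITE_URL . "change_password.php\">Try Again</a>";

	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if($link === false || !mysql_select_db(DB_NAME)) {
		// Keep driver error text in the server log; echoing it would expose database details to the visitor.
		error_log("change_password: database unavailable: " . mysql_error());
		die("A database error occurred.");
	}

	// users_id is interpolated unquoted, so it has to be numeric for the query to be valid
	// at all; the cast guarantees that regardless of what get_user_id() returns.
	$user_id = (int) get_user_id();

	// Accept only plain string fields; a missing or array-valued field is treated as absent.
	$old_password = (isset($_POST["old_password"]) && is_string($_POST["old_password"])) ? $_POST["old_password"] : "";
	$new_password = (isset($_POST["new_password"]) && is_string($_POST["new_password"])) ? $_POST["new_password"] : null;
	$confirm_password = (isset($_POST["confirm_password"]) && is_string($_POST["confirm_password"])) ? $_POST["confirm_password"] : null;

	$result = mysql_query("SELECT * from users WHERE users_id = " . $user_id . ";");
	if($result === false || mysql_num_rows($result) < 1) {
		echo "User not found or password incorrect." . $try_again;
	}
	else {
		// Column positions follow from SELECT *: index 2 is compared as the stored hash
		// and index 3 is used as the salt.
		$myrow = mysql_fetch_row($result);
		$stored_hash = (string) $myrow[2];
		$computed_hash = md5($myrow[3] . $old_password);
		// Compare as strings. A loose != treats hex digests such as "0e123..." as numbers,
		// so two different hashes could compare equal. hash_equals() (PHP 5.6+) is also
		// constant-time; fall back to === where it is unavailable.
		if(function_exists("hash_equals")) {
			$old_matches = hash_equals($stored_hash, $computed_hash);
		}
		else {
			$old_matches = ($stored_hash === $computed_hash);
		}

		if(!$old_matches) {
			echo "Old password does not match." . $try_again;
		}
		else if($new_password === null || $new_password === "") {
			echo "New password must not be empty." . $try_again;
		}
		else if($new_password !== $confirm_password) {
			// Strict comparison: with != the strings "1e3" and "1000" would count as a match.
			echo "New password does not match." . $try_again;
		}
		else {
			// md5() yields 32 hex characters, so the salt and hash are safe to embed in the
			// quoted SQL literals below.
			$salt = md5(uniqid(rand(), true));
			$sql = "UPDATE users SET users_password='" . md5($salt . $new_password) . "', users_salt='" . $salt . "' WHERE users_id=" . $user_id . ";";
			// Report success only if the UPDATE actually ran.
			if(mysql_query($sql) === false) {
				error_log("change_password: update failed: " . mysql_error());
				echo "Password could not be changed." . $try_again;
			}
			else {
				echo "Password changed.<br><a href=\"" . $SITE_URL . "\">Return to homepage</a>";
			}
		}
	}
	// Clear the change-password flags whatever the outcome.
	$_SESSION["change_password"] = 0;
	$_SESSION["changing_password"] = 0;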
?>
</div>
<div id="footer">
<?php include "footer.php" ?>
</div>
</div>
</body>
</html>
